The Homeland Security Department no longer has multiple policies that instruct different components how to address privacy issues.
The department’s privacy office issued a handbook in October that streamlines and makes consistent how DHS as a whole addresses privacy.
“What’s new here is this is one document that provides uniformity across the department,” says Hugo Teufel, DHS chief privacy officer. “It sets a floor from which all components can start from.”
He adds the 19-page handbook brings together existing policies, agency directives and Office of Management and Budget policy in one place.
By putting privacy issues together in one place, Teufel says training becomes easier and more consistent as well.
“This document is far more concise and readable and more accessible to the average employee,” he says. “You get a better sense of what you are supposed to do and can more easily understand what needs to be safeguarded.”
The handbook addresses what sensitive data is, how to protect it, what should an employee do if they suspect an incident.
It also addresses 16 frequently asked questions (FAQs), including how employees can minimize the use of sensitive data and how should an employee dispose of sensitive data.
The handbook also shows employees how to encrypt data through pictures of drop down menus and step-by-step directions.
Teufel says the ability to encrypt data is important because many employees use e-mail or take data that may be sensitive out of the building because DHS is split up among several locations around Washington.
“The most significant to me on the list of FAQs is the discussion of securing data on portable devices,” he says. “It is not common for someone at DHS to walk down the hallway to discuss a matter. Mostly we use electronic means of communications.”
Additionally, the handbook addresses paper documents and how to ensure they are kept private and secure.
“People need to be cognizant of the danger of not locking paper documents up in a safe when they are not in use,” he says. “If you can’t encrypt it, put it under lock and key.”
Teufel says DHS is just now issuing this handbook for two main reasons: the first is they are complying with a 2007 OMB memo on safeguarding personal identifiable information; and second the maturity of the department’s privacy processes.
Teufel points to his office’s progress in updating almost 300 legacy system of records notices (SORNs) as an example of that maturity. When Congress put DHS together, the privacy office inherited a significant number of SORNs that needed to be updated.
Agencies must update their SORNs every three years or anytime there is a major change to a system. Agencies must write a SORN for any system that contains public records, what the agency is using the information for and how long it will it retain it.
Over the last two years, Teufel says his office has made it a priority to get them done.
He says his office in the final stages of sending all of its legacy SORNs to OMB for approval.
Teufel says the handbook is the latest in a number of guidances that his office has issues around privacy.
“We really have advanced the agenda of the department,” he says. “We’ve done a good job with training. We haven’t done everything we’ve wanted to do. I think training will be one of those areas that will see significant growth in the coming year.”